Win32 API utterly and irredeemably broken

Windows might possibly be the most insecure piece of viral code ever to infect a computer, according to Chris Paget who's found a fascinating hole in the Win32 Messaging System which he believes is irreprarable, and which he posted to the BugTraq security mailing list.

The research leading to this discovery was inspired by MS Veep Jim Allchin, who testified to the effect that if flaws in the Windows Messaging System were sufficiently understood, national security would be deeply compromised, CRUISE missiles would be launched remotely, and /bin/laden would most likely find some novel way of raping your daughter with his big bad mouse.

Paget has brought at least some of Allchin's fears to fruition:

"Applications within Windows are entirely controlled through the use of messages. When a key is pressed, a message is sent to the current active window which states that a key was pressed. When Windows decides that an application needs to redraw its client area, it sends a message to the application. In fact, when any event takes place that an application needs to know about, it is sent a message. These messages are placed into a queue, and are processed in order by the application.

"This is a very reliable mechanism for controlling applications. However, on Win32 the mechanism for controlling these messages is flawed. Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not that window is owned by the sending application, and regardless of whether the target application wants to receive those messages. There is no mechanism for authenticating the source of a message; a message sent from a malicious application is indistinguishable from a message sent by the Windows kernel."

He's developed an application called "Shatter" (a bit grotty imho judging by a quick poking into the source files) that exploits the WMS in a limited context relevant to NAI VirusScan v4.5.1, which he believes can be expanded to suit numerous other applications.

It looks quite workable (I've not tested it), and if used properly with a hex editor and a debugger ought to yield an escalation of privilege within a running VirusScan window, from a user account to the LocalSystem account. Then you paste in your shellcode. Even if it's preposterously sloppy it should work; something like 4GB of space ought to be available. For your convenience Paget has provided an example, weighing in at a sleek 1.7KB (if you can't do that much on your own, you really ought not to be playing with stuff of this nature).

"You can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue so the application doesn't even have the chance to ignore it. Silly, silly, silly...

"So, within Shatter, the handle should be set to the VirusScan edit control containing our shellcode. The first parameter can be anything you like, and the second parameter should be 512 bytes or so above the address we picked out of the debugger earlier (we have 1K of NOP's [No Operation] in front of the shellcode, so we should land slap bang in the middle of them... Hit WM_TIMER, and your netcat listener should come alive with a command prompt. A quick WHOAMI will reveal that you have indeed gone from guest to local system. Enjoy."

Several BugTraq skeptics have observed that it's more the application developer than MS which has made this possible.

"This class of attack is not new, it has been discussed before. While you can assert that the blame lies with Microsoft (and I'll admit they do have some responsibility to address the problem you describe) the chief blame lies with the vendor of the software whose bad programming you are exploiting. There is no excuse to put a window for a process with the LocalSystem security context on a user's desktop. I am not aware of any Microsoft application that makes such a mistake," list member John Howie observes.

In any event you gotta love a guy with the nads to publish what has got to be the most unflattering portrait of himself ever taken, for which we're duly and humbly respectful.

On the other hand there is this bit of Gibson-esque self promotion: "able to program in 23 languages on 14 platforms, [Paget] takes an average of 3 days to learn a new programming language. He's currently available as a freelance security consultant." Only 23, Chris? And only three days? With miraculous powers of comprehension like that we have to wonder what's slowing you down. If I could learn a language in three days, I'd be conversant in every last one of them, including archaeological freaks like ALGOL.

Somebody jokin'. ®

Update

Reader Gavin Brown points us to a Paget pic that probably belongs on Rotten.com.